Statement on Standards for Attestation Engagement (SSAE) 18

SOC 1 Reports


SOC 1 reports, are designed to provide external parties, such as partners and customers assurance that a company’s internal controls over financial reporting are appropriate and operating effectively. SOC 1 reports are a great way to gain confidence that you’re doing all of the right things. This can help your customers gain trust in you as a service provider.

The report scope should cover the information systems processes that are utilized to deliver the services under review. There are 2 types of SOC1 reports:

SOC1 Type I: This option evaluated and reports on the design of controls put into operation as of a point in time. The Type I report merely provides a description of your company, the internal control environment, references to your policies and procedures, and an opinion on the suitability and design of the controls in place at the point in time the report was issued. It provides very little value to your customers/partners because it does not provide an opinion on whether you’re actually following your own policies and procedures. Type I reports are usually just a stepping stone to the much stronger SOC 1 Type II.

SOC1 Type II: Includes the design and testing of controls to report on the operational effectiveness of controls over a period of time (typically 12 months). It provides clients in highly regulated industries documentable assurances that their confidential customer data is being handled correctly. Hence, SOC 1 Type II is typically much more valuable to external parties.

Related Articles